conduit
Security

Trust is the product

We ask for access to your core systems — your CRM, your inbox, your data. That access is the whole relationship, so we treat it accordingly: least-privilege, fully logged, encrypted, and revocable. We treat your data like it's our own, because you're trusting us with it.

How we protect your data

Security principles

Six commitments that govern every integration we build — and the reason gatekeepers hand us the keys.

Least-privilege access

We connect with the minimum scopes a workflow needs — never blanket access. You can see exactly what the system can touch, and revoke it any time.

Full audit logging

Every action an agent takes is logged. You get observability into what the system did, when, and to which record.

Encryption end to end

Data is encrypted in transit and at rest. Secrets are managed, not hard-coded; access is scoped and rotated.

Human-in-the-loop by design

AI handles volume and tier-one; people handle judgment. We design the handoff so sensitive decisions stay with your team.

RBAC & governance

Role-based access control on integrations (Scale and up), with SSO and custom DPA available on Operate.

SOC 2 roadmap

We're building toward SOC 2, with compliant deployment options (BAA where applicable) for gated verticals.

The controls

How the system is built

Precise, sober, and honest about what's live vs. planned. We won't claim a control we don't have.

Authentication & access

SSO-first (Google / Microsoft OIDC) for the client portal, MFA enforced for admin roles, step-up auth for sensitive actions, and server-side revocable sessions.

Authorization (RBAC) & isolation

Role-based access control enforced server-side — never trusted from the client — with every query scoped to your organization to prevent cross-tenant reads.

Data protection

TLS 1.2+ in transit with HSTS; AES-256 at rest. Integration tokens and secrets get field-level encryption, keyed by a KMS-managed master key stored apart from the data.

Least-privilege integrations

We request the narrowest scopes each automation needs; you provision the access; the scopes are documented in the SOW — and they're revocable at any time.

AI data handling

We don't use your data to train general-purpose or third-party AI models, and we configure providers to exclude it. Defined exceptions escalate to a human.

Audit & observability

An append-only audit log (actor, action, before/after, IP, timestamp) on every change, with alerting on auth failures and error spikes. No secrets or PII in logs.

Compliance status

Stated plainly

What's live today and what's on the roadmap — labelled, never overstated.

Control                                        Status
Encryption in transit & at rest                Live
RBAC + append-only audit logging               Live
Least-privilege, revocable integrations        Live
SOC 2 Type II                                  Roadmap (in progress)
Penetration test summary                       Roadmap
HIPAA (BAA) for healthcare deployments         On request, gated

We never represent SOC 2 compliance until an audit is complete. Where a vertical requires it (healthcare/HIPAA, finance), we deploy only with the right posture — a BAA and a compliant configuration.

Documentation & contact

What we'll share, and how to reach us

Security Overview

A customer-facing description of our controls for your security team — shared on request, verified against the live system.

Data Processing Agreement (DPA)

Processor terms for personal data, with subprocessor list and data-residency options (Operate). Reviewed by counsel.

Subprocessor list

Hosting, CRM, analytics, email, AI model providers, and scheduling — under contract and only as needed.

Per-integration scopes

Exactly which permissions each automation requests against your tools, so there are no surprises.

Security contact

Security questions, or a vulnerability to report? Reach our security team at security@conduit.ai or via Contact. Evaluating an integration? Ask us for the Security Overview and DPA early — we'd rather lead with it.

Requires legal review: the binding Data Processing Agreement, subprocessor list, and customer Security Overview are reviewed by counsel and verified against the live system before they're shared. Each security claim on this page is stated as live or planned; planned controls are not represented as in place.